EUVD-2025-21053

CVE-2025-53628 HIGH
2025-07-10
8.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21053
Patch Released
Mar 16, 2026 - 06:52 nvd
Patch available
PoC Detected
Aug 06, 2025 - 18:08 vuln.today
Public exploit code
CVE Published
Jul 10, 2025 - 20:15 nvd
HIGH 8.8

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to exploit this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE: This vulnerability is related to CVE-2025-53629.

Analysis

CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated remote attackers to cause denial of service by sending HTTP requests with arbitrarily large individual header lines, exploiting the absence of per-line size limits. The vulnerability affects any application using cpp-httplib as a C++ HTTP/HTTPS library component and requires only user interaction (UI:R) to trigger, with high impact across confidentiality, integrity, and availability. No active exploitation in the wild has been confirmed, but the fix availability and related CVE-2025-53629 suggest this was discovered during security review rather than active exploitation.

Technical Context

cpp-httplib is a C++11 single-file, header-only HTTP/HTTPS library providing cross-platform HTTP client/server functionality. The vulnerability resides in the HTTP header parsing logic, where the library fails to enforce maximum length constraints on individual header lines during request processing. This falls under CWE-770 (Allocation of Resources Without Limits or Throttling), a classic resource exhaustion category where unbounded allocation occurs. Unlike typical HTTP implementations that define RFC 7230-compliant limits (commonly 8KB per header line), cpp-httplib's parser accepts lines of arbitrary length, allowing an attacker to construct requests with megabyte or gigabyte-sized single headers. When the library attempts to allocate memory for these oversized lines, it can exhaust heap memory, crash the process, or degrade performance. The affected CPE would be: cpe:2.3:a:cpp-httplib:cpp-httplib:*:*:*:*:*:*:*:* with versions <0.20.1.
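The allocation pattern described above, as an added illustration that is not cpp-httplib's own code: an unbounded header-line read (the CWE-770 shape) beside a bounded reader that stops consuming once a line passes a cap. The 8192-byte cap, the function names and the sample header are assumptions constructed for this example.

```cpp
#include <cstddef>
#include <istream>
#include <sstream>
#include <string>

// Illustrative readers, not cpp-httplib's own code; the 8192-byte cap is an
// assumption mirroring the common 8 KB per-header-line limit.
constexpr std::size_t kHeaderLineMax = 8192;

// Vulnerable pattern (CWE-770): the buffer grows to whatever the peer sends
// before any check runs, so one oversized line costs the server that much heap.
bool read_line_unbounded(std::istream &in, std::string &line) {
    if (!std::getline(in, line)) return false;
    if (!line.empty() && line.back() == '\r') line.pop_back();
    return true;
}

// Hardened pattern: stop once the buffered bytes (trailing CR included) would
// exceed max_len, so one client forces at most max_len bytes of buffering per line.
bool read_line_bounded(std::istream &in, std::string &line,
                       std::size_t max_len = kHeaderLineMax) {
    line.clear();
    for (char c; in.get(c);) {
        if (c == '\n') {
            if (!line.empty() && line.back() == '\r') line.pop_back();
            return true;
        }
        if (line.size() >= max_len) return false;  // cap hit: reject, do not grow
        line.push_back(c);
    }
    return false;  // stream ended mid-line
}

// Constructed sample input: one header whose value is `pad` bytes long.
std::string make_header_line(std::size_t pad) {
    return "X-Pad: " + std::string(pad, 'A') + "\r\n";
}

// Bytes the unbounded reader buffers for one raw line (0 if it fails).
std::size_t unbounded_buffered(const std::string &raw) {
    std::istringstream in(raw);
    std::string line;
    return read_line_unbounded(in, line) ? line.size() : 0;
}

// Whether the bounded reader accepts one raw line within the default cap.
bool bounded_accepts(const std::string &raw) {
    std::istringstream in(raw);
    std::string line;
    return read_line_bounded(in, line);
}
```

A server built on the bounded reader should close the connection when it returns false on a header line rather than continuing to parse.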

Affected Products

cpp-httplib (< 0.20.1)

Remediation

Upgrade cpp-httplib to version 0.20.1 or later. Since cpp-httplib is header-only, update the header files in your project and recompile. Specificity: version 0.20.1 includes fixes for CVE-2025-53628 (per-line limits) and the related CVE-2025-53629.

Workaround (temporary): Implement a reverse proxy or load balancer (nginx, HAProxy, AWS ALB) in front of applications using cpp-httplib, configured with strict header size limits (e.g., nginx: client_max_header_size 8k; client_header_buffer_size 1k). This prevents oversized headers from reaching the vulnerable library. Effectiveness: high, but does not address direct client-to-server connections.

Defense-in-depth: Restrict HTTP access to trusted networks or implement rate limiting on header reception. Monitor process memory usage for anomalous growth during HTTP request parsing. Effectiveness: medium; mitigates but does not eliminate risk.

Priority Score

64
KEV: 0
EPSS: +0.0
CVSS: +44
POC: +20

Vendor Status

Ubuntu

Priority: Medium
cpp-httplib
Release    Status    Version
jammy      needed    -
noble      needed    -
plucky     ignored   end of life, was needs-triage
upstream   released  0.20.1
questing   needed    -

Debian

Bug #1109340
cpp-httplib
Release              Status      Fixed Version        Urgency
bookworm             vulnerable  0.11.4+ds-1+deb12u1  -
forky, sid, trixie   vulnerable  0.18.7-1             -
experimental         fixed       0.25.0+ds-1          -
(unstable)           fixed       (unfixed)            -


